[liberationtech] Yahoo Hacks [and: it's about to get MUCH worse]
rsk at gsp.org
Sun Jun 23 08:27:28 PDT 2013
[ Sorry. Just saw this now. ]

On Tue, Apr 09, 2013 at 07:54:23AM +0100, David Miller wrote:
> On 9 April 2013 01:29, Steven Clift <clift at e-democracy.org> wrote:
> > Part of the problem may be Yahoo mail hacked accounts which are an ongoing
> > disaster.
> What's the deal with that - I seem to get lots of YahooMail spam...
> couldn't find anything reporting on it when I googled though

The deal with that is that Yahoo fired/laid off/whatever their entire
postmaster and abuse team most of a decade ago. The email operation appears,
from all external appearances, to be running on a combination of autopilot
and minimal attention from very junior and inexperienced people.

The lights are on but nobody's home.

It's thus not surprising that word of this has propagated through the
spammer/phisher/ID theft/malware/etc. community: they know a good thing
when they see one, and "very large provider not paying much attention to
what is happening in its own operation" is more than a good thing:
it's a *great* thing. From their perspective, of course.

They have moved in and made themselves right at home in a big way.

The results are precisely what you (and many many many others) have observed:
Yahoo is a major source of outbound spam. They have been the target
of repeated large-scale successful attacks. Accounts are being
compromised there at a very high rate. Dropboxes for all sorts of
nefarious activities are nearly immune from action. And so on.

The fix for this is obvious and easy and cheap, and will never happen.

A similar process is underway at AOL, which had a terrible (and deservedly
so) reputation but thanks to the hard work of Carl Hutzler and his team,
managed to claw their way back to being a responsible member of the
Internet. AOL rewarded this team for their diligence and professionalism
by dismissing them. And promptly began sliding back into the abyss,
a process that is now well underway.

One of the implications of this (besides the annoyance of fending
off abuse sourced from these incompetent and negligent operations)
is that they're no longer operationally secure, even for a relatively
weak definition of "secure". That is, it should be presumed that
unknown adversaries of unknown capabilities and motivation have neatly
entrenched themselves in their infrastructure -- since we are *looking*
at evidence demonstrating that this is true.

Given Yahoo's recent corporate moves/cost-cutting there is no reason
to expect this trend to reverse. There is every reason to expect it to
get much worse. And a recent announcement from Yahoo promises to
exacerbate the situation badly in the near future, thanks to this
stunningly bad idea, which, predictably, they plan to blunder ahead
with despite the appalling consequences: